---
layout: docs
page_title: Agent Sidecar Injector Installation
sidebar_title: Installation
description: The Vault Agent Sidecar Injector can be installed using Vault Helm.
---

# Installing the Agent Injector

The [Vault Helm chart](/docs/platform/k8s/helm) is the recommended way to
install and configure the Agent Injector in Kubernetes.

~> The Vault Agent Injector requires Vault 1.3.1 or greater.

To install a new instance of Vault and the Vault Agent Injector, first add the
Hashicorp helm repository and ensure you have access to the chart:

```shell-session
$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories

$ helm search repo hashicorp/vault
NAME           	CHART VERSION	APP VERSION	DESCRIPTION
hashicorp/vault	0.5.0        	           	Install and configure Vault on Kubernetes.
```

Then install the chart and enable the injection feature by setting the
`injector.enabled` value to `true`:

```bash
helm install vault hashicorp/vault --set="injector.enabled=true"
```

Upgrades may be performed with `helm upgrade` on an existing install. Please
always run Helm with `--dry-run` before any install or upgrade to verify
changes.

You can see all the available values settings by running `helm inspect values hashicorp/vault` or by reading the [Vault Helm Configuration
Docs](/docs/platform/k8s/helm/configuration). Commonly used values in the Helm
chart include limiting the namespaces the injector runs in, TLS options and
more.

## TLS Options

Admission webhook controllers require TLS to run within Kubernetes. At this time
the Vault Agent Injector supports two TLS options:

- Auto TLS generation (default)
- Manual TLS

### Auto TLS

By default, the Vault Agent Injector will bootstrap TLS by generating a certificate
authority and creating a certificate/key to be used by the controller. If using
Vault Helm, the chart will automatically create the necessary DNS entries for the
controller's service used to verify the certificate.

### Manual TLS

If desired, users can supply their own TLS certificates, key and certificate authority.
The following is required to configure TLS manually:

- Server certificate/key
- Base64 PEM encoded Certificate Authority bundle

For more information on configuring manual TLS, see the [Vault Helm cert values](/docs/platform/k8s/helm/configuration#certs).

## Namespace Selector

By default, the Vault Agent Injector will process all namespaces in Kubernetes except
the system namespaces `kube-system` and `kube-public`. To limit what namespaces
the injector can work in a namespace selector can be defined to match labels attached
to namespaces.

For more information on configuring namespace selection, see the [Vault Helm namespaceSelector value](/docs/platform/k8s/helm/configuration#namespaceselector).
